How can I give access to only a single index to a ...

ilaila · ‎01-08-2018

I am trying to create a role that has access to only a single index and can only view the 'search' app.

The way I created the role was by copying all the capabilities and other settings from the 'user' role to my new role. The only differences are that the 'Indexes searched by default' and 'Indexes' list are limited to only the one index I want them to see. I then went to the 'Permissions' page for the Search app and gave the new role Read+Write permissions.

After creating a dummy user and placing it in the role, I logged in and found that indeed it only had access to the search app and could not see others. However when I attempt to execute a search, no results are returned. The search query I used was: 'index=my_custom_index'. The same query works if I run it as myself (an admin).

My splunk set up is: 3 search heads, 3 forwarders, 4 indexers, and a license server. I made all of the above changes on the captain search head's UI.

Are there any steps that I am missing? And are there any other troubleshooting techniques I can use? I've tried looking at the search job logs but there are no clear indications of what permissions were missing or what caused 0 results to be returned.

somesoni2 · ‎01-08-2018

Check the job inspector and see what' the normalized query it's generating?

How can I give access to only a single index to a custom Role that I've created?

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users

Everything Community at .conf24!

Index This | I’m short for "configuration file.” What am I?